Setup help for MAC address shielding on university campus network

Hello guys!

I'll first try to explain my problem before I go into the specifics, but you can skip this if you want.

The (original) problem:
About a year ago I purchased a TP-Link TL-WA801ND v5 to serve as access point on my wired university campus internet connection. Unfortunately, the default software of TP-Link was extremely limited and didn't have an option to disable its DHCP server and was therefore not good enough. At the time, I got help from the campus service center to install and configure OpenWrt. The result was a working configuration, but at the time only a snapshot of OpenWrt was available and it was unstable and slow. So I abandoned the network for a while and used the existing wireless network (with bad reception in my room).
Last week, I decided to check if there was perhaps an update for my device which could make the network more stable and solve my irritations. And so there was, hooray for the developers! I flashed the update via LuCI, which seemed to increase wireless speed, so I was satisfied. Rookie mistake; I did not make a backup of my settings before flashing ('it doesn't work well now anyways...'). After rebooting, my settings were gone and I realized I did not flash a stable version, but again a snapshot. That part is solved now and I have stable version 19.07.01, which does seem to store settings in flash memory instead of RAM. However, I lost my original settings and cannot figure out how I need to configure my device to behave in the way it did before.
The new problem:
I want the device to wirelessly extend an existing wired network, from which it should receive an IP address. To gain access to the wired network, I must register the MAC address of the device accessing it. This I have done for the access point. Now, in my previous setup, I did not have to register the MAC addresses of the wireless clients connecting to my access point. The access point sort of seemed to 'shield' their MAC addresses, or in any case: do the network requests with its own MAC address. I want to replicate this behavior, but I do not know how I should set up the device.
Further, there are some SMB servers connected to the wired network, which I could previously access from my access point's wireless network, and I would also like to keep that behavior.
The person of the network service center who helped me the previous time did this voluntarily; it is not an official service from them. Unfortunately, he does not work there anymore.

The specifics:

  • access point connected to wired network for which its MAC address needs to be registered (and is)
  • access point gets an IP address assigned by another DHCP server (I believe IPv6) on the wired network
  • wireless devices should connect to the access point, but I cannot register all their MAC addresses. The router should sort of 'shield' their addresses from the wired network
  • SMB servers are connected to the wired network, and need to be accessible from the wireless network
  • Preferably, I would have my wireless clients not be accessible by any clients on the wired network
  • Preferably, I am able to SSH/LuCI into the router via the wireless network and NOT via the wired connection

I had this configuration before, so I know it should be somehow possible, but I do not know how.

FYI: the access point has only one Ethernet port.

The question:
Can someone help me with the configuration of my access point? I have tried many configurations, but haven't been able to configure it correctly yet, and I am getting lost in the large sea of possibilities for configuration.

What I tried:

  • I tried the default bridge setup of OpenWrt and set the router as a DHCP client. This gave internet access to the wireless clients, but only if their MAC address was registered. Also, I lost the ability to SSH into the access point, and from the MAC Address Register Utility I have, it seemed as if the access point was not on the network (it was not given an IP address, while a (registered) wireless client was given an IP address).
  • I tried to create two interfaces, one on the Ethernet port in WAN and one on the wireless connection in LAN with a DNS server (at least, I think that's what I did. I reconfigured the default original 'bridge' config to only contain the wireless network). That gave comparable behaviour as above. Internet access, but only for registered devices and no more SSH access.

I am thankful for any help and suggested reading/information that you might have!

Thanks in advance.

It needs to be set up to NAT and route, not to bridge. This is the default setup for devices with more than one Ethernet port -- one is a connection to the WAN and the others are LAN. Parts of this setup remain in devices with only one port though so it is not hard to get set up that way. Since there is only one port, your private LAN network will be wireless and the campus WAN will be wired.

  • Start with a default configuration.
  • Set up encryption on the default wifi AP and enable it.
  • Disconnect the Ethernet cable and log into the router by wifi.
  • Create a new network, name it exactly wan (lower case), and use protocol DHCP client.
  • Make sure the wan network is attached to the wan firewall zone.
  • Attach the ethernet port to wan (physical settings) and remove the ethernet port from lan.
  • Plug the Ethernet cable into campus; it should get an IP address and start routing all your wireless users to the Internet.
  • The WAN MAC may be one number different from the sticker MAC that is registered. Either register this new MAC or force the old MAC in the wan network settings.
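The steps above, written out as the UCI configuration they produce on OpenWrt 19.07 (an added example, not from the original post or the OpenWrt project; `eth0` as the port name, `192.168.1.1/24` for the wireless LAN and the MAC value are assumptions, the MAC being a placeholder for the sticker MAC that is registered). Masquerading on the `wan` zone is what makes every wireless client appear on campus with the AP's own MAC and IP; `input REJECT` on that zone is what keeps SSH and LuCI unreachable from the wired side.

```text
# /etc/config/network
config interface 'lan'
    option type 'bridge'            # bridge stays on; it now carries only the wifi
    option proto 'static'
    option ipaddr '192.168.1.1'     # assumed private range for the wireless clients
    option netmask '255.255.255.0'
    # no 'option ifname' line: eth0 has been removed from lan

config interface 'wan'
    option ifname 'eth0'            # the single Ethernet port, facing campus
    option proto 'dhcp'             # take the address the campus DHCP hands out
    option macaddr 'XX:XX:XX:XX:XX:XX'  # PLACEHOLDER: the registered sticker MAC, if WAN MAC differs

# /etc/config/firewall (the two zones; default lan->wan forwarding stays)
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'           # SSH/LuCI reachable from wireless clients
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'           # nothing on campus can reach the AP's services
    option output 'ACCEPT'
    option forward 'REJECT'         # wired hosts cannot initiate toward wireless clients
    option masq '1'                 # NAT: clients leave with the AP's MAC and WAN IP
    option mtu_fix '1'

# /etc/config/dropbear: SSH bound to the wireless side only
config dropbear
    option Interface 'lan'
    option Port '22'
```

SMB shares on campus stay reachable because the wireless clients initiate the connections and the NAT tracks them; nothing on the wired side can open a connection back in.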

Thanks a lot! That worked!

  • Make sure you do not uncheck the 'bridge interfaces' when removing eth0 from the lan interface.
  • Also, under System -> Administration I changed the dropbear instance to listen only to the lan interface, for extra security. (It was set to 'all' by default.)

The configuration prescribed by mk24 is very similar to what I tried, but I previously unchecked the 'bridge interfaces' in the Interface Setup. Somehow, after I do that, my clients lose connection both to the internet and to the router. No clue why. Perhaps someone else knows?

I agree it should work without a bridge. The configuration would resemble the routed AP example.

To remove the bridge, I suggest the following procedure which ensures the AP always remains accessible for management:

  • Plug the AP and a suitable wired client into the campus network. Take a note of their IP addresses.
  • Using a wireless client, set up a firewall rule to allow ssh or LuCI access from the wired client's IP address.
  • Now using the wired client, connect to the AP's WAN IP address.
  • Remove the LAN bridge and apply the new configuration. Since you are connected through the WAN interface, the AP should still be accessible.
  • Check connectivity using the wireless client.
  • If necessary, restart the wireless interface or reboot.
  • If it still does not work, check the network config.
  • When you are done, use the wireless client to remove the firewall rule.
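The temporary rule from step 2 of that procedure, as an added example (not from the original post): it opens SSH and LuCI on the AP's WAN side only for the one wired client, which is what keeps the `input REJECT` on the `wan` zone intact for every other campus host. `198.51.100.23` is a constructed placeholder for the wired client's address noted in step 1.

```text
# /etc/config/firewall, appended for the duration of the change and removed afterwards
config rule
    option name 'Temp-mgmt-from-wired-client'
    option src 'wan'                    # traffic arriving on the campus-facing port
    option src_ip '198.51.100.23'       # PLACEHOLDER: only this wired client is allowed
    option proto 'tcp'
    option dest_port '22 80 443'        # ssh, LuCI over http and https
    option target 'ACCEPT'              # no 'dest' option: this is input to the AP itself
```

Because the rule is narrowed to a single source address, a wrong step 3 or 4 still leaves the AP closed to the rest of the wired network; the last step of the procedure deletes this section again.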

Thanks for your thoughts.

For now, I will keep the current setup. I do not see much harm in leaving the 'bridge' checkbox enabled, since there is only one physical network in that config.

Nevertheless, useful information for others!
